Capturing and analyzing encrypted HTTPS communications

More and more web applications encrypt communications with the user's browser using Transport Layer Security (TLS), which makes it more difficult to determine how the web application works. However, as part of patent analysis it can be quite helpful to peek into client-server communications to better ascertain how functionality works.

Packet capture tools such as Wireshark capture all Ethernet communications at a network adapter, and so cannot see inside encrypted packets like TLS packets used for securely transferring data via Hypertext Transfer Protocol Secure (HTTPS). TLS encrypts packets using symmetric cryptography between communication counterparts, so that unless you’re the NSA it should be challenging to be a “man-in-the-middle” and read the communications in the clear. For this reason, what is needed is insight at a counterpart endpoint, and in the client case for a web application this is the web browser. The web browser itself obviously must be able to encrypt and decrypt communications with a web application server, so it is here that one can capture and analyze HTTPS packets in plaintext format.

There are a variety of browser-specific add-ons that are available to capture and present sent and received HTTPS communications in plaintext format. One example that I have found helpful is HttpFox, an extension for Mozilla-based browsers such as the Firefox browser. HttpWatch is another solution that works for Firefox and on iOS devices (iPhone, iPad) as its own browser.

HttpFox Firefox browser add-on

Below is a screen shot of HttpFox in action — it has captured several HTTPS communications with a website, including a highlighted GET method to obtain some JavaScript:

[Screenshot: HttpFox HTTPS Capture]

It should be noted that while browser extensions such as HttpFox are helpful for capturing and analyzing encrypted communications to and from a browser, they do not help with decrypting communications to or from other client applications: each of those applications is itself the TLS endpoint, and it performs the cryptography without exposing the plaintext communications.
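To illustrate capture at the endpoint, here is an added example (not from the original article and not HttpFox code) of a client recording its own requests and responses in plaintext, before TLS encrypts them and after TLS decrypts them. The names `makeCapturingFetch` and `constructedTransport` and the host `app.example.test` are assumptions made for illustration; the transport is a constructed stand-in so the example runs offline.

```javascript
// Added example: record exchanges at the client endpoint, where they are
// plaintext. All names and the sample host are illustrative assumptions.
function makeCapturingFetch(baseFetch, log) {
  return async function capturingFetch(input, init) {
    const request = new Request(input, init);
    // Clone before reading so the original request body stays usable.
    const requestBody = await request.clone().text();
    const started = Date.now();
    const response = await baseFetch(request);
    // Clone again so the caller still receives an unread response.
    const responseBody = await response.clone().text();
    log.push({
      method: request.method,
      url: request.url,
      requestHeaders: Object.fromEntries(request.headers),
      requestBody,
      status: response.status,
      contentType: response.headers.get("content-type"),
      responseBody,
      elapsedMs: Date.now() - started,
    });
    return response;
  };
}

// Constructed stand-in for the network: serves one JavaScript file.
async function constructedTransport(request) {
  if (request.method === "GET" && request.url.endsWith("/static/app.js")) {
    return new Response("console.log('loaded');", {
      status: 200,
      headers: { "content-type": "application/javascript" },
    });
  }
  return new Response("not found", { status: 404 });
}

async function demo() {
  const log = [];
  const capturingFetch = makeCapturingFetch(constructedTransport, log);
  const res = await capturingFetch("https://app.example.test/static/app.js");
  const body = await res.text();
  return { log, body };
}

demo().then(({ log }) =>
  console.table(log, ["method", "url", "status", "contentType"]));
```

In a real client, `baseFetch` would be the platform's own `fetch`; a packet capture of the same exchange would show only TLS records.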